DISARM Version 1.4 


DISARM update version 1.4 has been produced as part of the Horizon Funded project ADAC.io; 
“Attribution — Data — Analysis — Countermeasures — Interoperability”. This initial update focuses on 
delivering changes based on existing user feedback. 


Overview 


Large Changes 

T0085: Develop Text-Based Content 

Added T0085.005: Develop Book 
Added T0085.006: Develop Opinion Article 
Updated T0085.002: Develop False or Altered Documents 
Removed T0089.002: Create Inauthentic Documents 

T0019: Generate Information Pollution 

Moved T0019: Generate Information Pollution 
Moved T0019.001: Create Fake Research 
Removed T0019.002: Hijack Hashtags 
Updated T0049: Flooding the Information Space 
Updated T0049.002: Hijack Existing Hashtag 

T0011: Compromise Legitimate Accounts 

Added T0141: Acquire Compromised Asset 
Updated T0011: Compromise Legitimate Accounts 
Added T0141.002: Acquire Compromised Website 

TA08: Conduct Pump Priming 

Moved T0113: Employ Commercial Analytics Firms 
Moved T0039: Bait Legitimate Influencers 

T0099: Prepare Assets Impersonating Legitimate Entities 

Updated T0099: Prepare Assets Impersonating Legitimate Entities 
Updated T0099.001: Astroturfing 
Added T0099.003: Impersonate Existing Organisation 
Added T0099.004: Impersonate Existing Media Outlet 
Added T0099.005: Impersonate Existing Official 
Added T0099.006: Impersonate Existing Influencer 


Small Changes 

Updated T0097.001: Backstop Personas 
Updated T0104.002: Dating Apps 
Updated T0049: Flooding the Information Space 
Updated TA15: Establish Social Assets 
Updated TA05: Microtarget 


Incidents 

Added for T0104.002: Dating Apps 
Added for T0141.001: Acquire Compromised Account 
Added for T0141.002: Acquire Compromised Website 


Request for Feedback 

TA07: Select Channels and Affordances 
Large Changes 


T0085: Develop Text-Based Content 


Added T0085.005: Develop Book 

Added T0085.006: Develop Opinion Article 

Updated T0085.002: Develop False or Altered Documents 
Removed T0089.002: Create Inauthentic Documents 


We've introduced two new sub-techniques to T0085: Develop Text-Based Content, to allow 
tagging of different types of text-based content. Let us know which other types of text-based 
content you'd like to be able to tag! 


Before: None 

After: 
TA06: Develop Content 
T0085: Develop Text-Based Content 
T0085.005: Develop Book 
Summary: Produce text content in the form of a book. 


This technique covers both e-books and physical books, 
however, the former is more easily deployed by threat 
actors given the lower cost to develop. 


Before: None 

After: 
TA06: Develop Content 
T0085: Develop Text-Based Content 
T0085.006: Develop Opinion Article 
Summary: Opinion articles (aka “Op-Eds” or “Editorials”) 
are articles or regular columns flagged as “opinion” 
posted to news sources, and can be contributed by 
people outside the organisation. 


Flagging articles as opinions allows news organisations 
to distinguish them from the typical expectations of 
objective news reporting while distancing the presented 
opinion from the organisation or its employees. 


The use of this technique is not by itself an indication of 
malicious or inauthentic content; Op-eds are a common 
format in media. However, threat actors exploit op-eds 
to, for example, submit opinion articles to local media to 
promote their narratives. 


Examples from the perspective of a news site involve 
publishing op-eds from perceived prestigious voices to 
give legitimacy to an inauthentic publication, or 
supporting causes by hosting op-eds from actors 
aligned with the organisation’s goals. 


T0085.003: Develop False or Altered Documents was also updated. Ideally we want Techniques 
to cover one unique behaviour, but this Technique had three potential implications: 


1. Text was presented in the form of a Document 
2. The document's text contained false information, and/or 
3. The document’s text had been appropriated and altered from a previous legitimate source. 


Going forward this Technique will only imply that threat actors delivered text in the form of a 
document under the name T0085.004: Develop Document. 


By removing the requirement to assert that a document is false, analysts can focus on identifying 
the format that content was delivered in (rather than what it said). 


The alteration of existing legitimate documents can be tagged using the existing Technique 
T0089.003: Alter Authentic Documents (which also had a small typo in its summary fixed). 


To avoid causing issues with backwards compatibility, Develop Document was assigned a new ID, 
instead of keeping the ID used by Develop False or Altered Documents. 


Before: 
TA06: Develop Content 
T0085: Develop Text-Based Content 
T0085.002: Develop False or Altered Documents 
Summary: None 

After: 
TA06: Develop Content 
T0085: Develop Text-Based Content 
T0085.004: Develop Document 
Summary: Produce text in the form of a document 


Before: 
TA06: Develop Content 
T0089: Obtain Private Documents 
T0089.003: Alter Authentic Documents 
Summary: Alter authentic documents (public or non- 
public) to achieve campaign goals. The altered 
documents are intended to appear as if they are 
authentic can be "leaked" during later stages in the 
operation. 

After: 
TA06: Develop Content 
T0089: Obtain Private Documents 
T0089.003: Alter Authentic Documents 
Summary: Alter authentic documents (public or non- 
public) to achieve campaign goals. The altered 
documents are intended to appear as if they are 
authentic and can be "leaked" during later stages in the 
operation. 


While making this change, we removed T0089.002: Create Inauthentic Documents. 


The original design intent of this Technique was to document cases where defenders produce 
real-looking but inauthentic documents in places where a hacker is likely to steal them. This was 
a strategy employed by France in 2017; “a classic “cyber-blurring” strategy, well known to banks 
and corporations, creating false email accounts and filled them with phony documents the way a 
bank teller keeps fake bills in the cash drawer in case of a robbery.” 


As a defensive behaviour, this Technique doesn’t fit the Red framework, and can easily be 
confused with other document-based Techniques, so it made sense to deprecate the Technique. 


Before: 
TA06: Develop Content 
T0089: Obtain Private Documents 
T0089.002: Create Inauthentic Documents 
Summary: Create inauthentic documents intended to 
appear as if they are authentic non-public documents. 
These documents can be "leaked" during later stages in 
the operation 

After: Removed 
T0019: Generate Information Pollution 
Moved T0019: Generate Information Pollution 

Moved T0019.001: Create Fake Research 

Removed T0019.002: Hijack Hashtags 

Updated T0049: Flooding the Information Space 

Updated T0049.002: Hijack Existing Hashtag 


Generate Information Pollution has been updated to be a Subtechnique of T0049: Flooding the 
Information Space, which better suits this Technique’s methods than its previous home of TA06: 
Develop Content. Its summary has also been updated for clarity. 


Before: 
TA06: Develop Content 
T0019: Generate Information Pollution 
Summary: Flood social channels; drive traffic/ 
engagement to all assets; create aura/sense/perception 
of pervasiveness/consensus (for or against or both 
simultaneously) of an issue or topic. "Nothing is true, 
but everything is possible." Akin to astroturfing 
campaign. 

After: 
TA17: Maximise Exposure 
T0049: Flood Information Space 
T0049.008: Generate Information Pollution 
Summary: Information Pollution occurs when threat 
actors attempt to ruin a source of information by 
flooding it with lots of inauthentic or unreliable content, 
intending to make it harder for legitimate users to find 
the information they're looking for. 

This Subtechnique’s objective is to reduce exposure to 
target information, rather than promoting exposure to 
campaign content, for which the parent Technique 
T0049 can be used. 

Analysts will need to infer what the motive for flooding 
an information space was when deciding whether to use 
T0049 or T0049.008 to tag a case when an information 
space is flooded. If such inference is not possible, 
default to T0049. 

This Technique previously used the ID T0019 


Generate Information Pollution’s sub-techniques are also being updated, and as part of this 
change T0019.002: Hijack Hashtags is being merged into T0049.002: Hijack Existing Hashtag. 


These Subtechniques essentially covered the same behaviour (i.e. the flooding of a hashtag) for 
different motives (ruining hashtag functionality in the former, and maximising exposure to 
campaign content in the latter). By updating T0049.002 to cover both motives (and updating its 
name to Flood Existing Hashtag in accordance), we free analysts to simply tag the observable 
behaviour of flooding a hashtag without requiring them to infer motive first. 


We considered instead introducing Pollute Existing Hashtag to allow analysts to tag the use of 
flooding a hashtag for the purpose of ruining a source of information when they are able to make 
this inference, but we decided this would risk causing confusion for not enough benefit. 


Before: 
TA17: Maximise Exposure 
T0049: Flooding the Information Space 
T0049.002: Hijack Existing Hashtag 
Summary: Take over an existing hashtag to drive 
exposure 

After: 
TA17: Maximise Exposure 
T0049: Flood Information Space 
T0049.002: Flood Existing Hashtag 
Hashtags can be used by communities to collate 
information they post about particular topics (such as 
their interests, or current events) and users can find 
communities to join by exploring hashtags they’re 
interested in. 

Threat actors can flood an existing hashtag to try to ruin 
hashtag functionality, posting content unrelated to the 
hashtag alongside it, making it a less reliable source of 
relevant information. They may also try to flood existing 
hashtags with campaign content, with the intent of 
maximising exposure to users. 

This Technique covers cases where threat actors flood 
existing hashtags with campaign content. 

This Technique covers behaviours previously 
documented by T0019.002: Hijack Hashtags, which has 
since been deprecated. This Technique was previously 
called Hijack Existing Hashtag. 


Before: 
TA06: Develop Content 
T0019: Generate Information Pollution 
T0019.002: Hijack Hashtags 
Summary: Hashtag hijacking occurs when users “[use] a 
trending hashtag to promote topics that are 
substantially different from its recent context” (VanDam 
and Tan, 2016) or “to promote one’s own social media 
agenda” (Darius and Stephany, 2019). 

After: Removed 


Create Fake Research has been updated to be a sub-technique of Develop Text-Based Content. 
With Generate Information Pollution’s move to Flooding the Information Space, this felt like a 
good time to move Create Fake Research to a Technique which better encapsulates it, and gives 
our users the freedom to tag inauthentic research when it’s used in non-polluting campaigns; 
threat actors can use any type of content to pollute an information environment, and inauthentic 
research can be used in operations that aren’t intending to pollute an information environment. 


Before: 
TA06: Develop Content 

T0019: Generate Information Pollution 

T0019.001: Create Fake Research 

Summary: Create fake academic research. Example: fake 
social science research is often aimed at hot-button 
social issues such as gender, race and sexuality. Fake 
science research can target Climate Science debate or 
pseudoscience like anti-vaxx 


After: 
TA06: Develop Content 

T0085: Develop Text-Based Content 

T0085.007: Create Fake Research 

Summary: Create fake academic research. Example: fake 
social science research is often aimed at hot-button 
social issues such as gender, race and sexuality. Fake 
science research can target Climate Science debate or 
pseudoscience like anti-vaxx 


This Technique previously used the ID T0019.001 
T0011: Compromise Legitimate Accounts 

Added T0141: Acquire Compromised Asset 

Updated & Moved T0011: Compromise Legitimate Accounts 
Added T0141.002: Acquire Compromised Website 


Previously T0011: Compromise Legitimate Accounts was the only way to tag cases where threat 
actors compromised existing assets to distribute content. 


We've introduced the new T0141: Acquire Compromised Asset to provide a broad Technique 
which can cover cases where things other than accounts are taken over by threat actors, along 
with specific sub-techniques for hacking into accounts and websites. 


Before: None 

After: 
TA15: Establish Assets 
T0141: Acquire Compromised Asset 
Summary: Threat Actors may take over existing assets 
not owned by them through nefarious means, such as 
using technical exploits, hacking, purchasing 
compromised accounts from the dark web, or social 
engineering. 


Before: 
TA16: Establish Legitimacy 
T0011: Compromise Legitimate Accounts 
Summary: Hack or take over legitimate accounts to 
distribute misinformation or damaging content 

After: 
TA15: Establish Assets 
T0141: Acquire Compromised Asset 
T0141.001: Acquire Compromised Account 
Summary: Threat Actors can take over existing users’ 
accounts to distribute campaign content. 

The actor may maintain the asset’s previous identity to 
capitalise on the perceived legitimacy its previous owner 
had cultivated. 

The actor may completely rebrand the account to 
exploit its existing reach, or rely on the account’s 
history to avoid more stringent automated content 
moderation rules applied to new accounts. 

See also [Mitre ATT&CK’s T1586 Compromise 
Accounts](https://attack.mitre.org/techniques/T1586/) 
for more technical information on how threat actors may 
achieve this objective. 

This Technique was previously called Compromise 
Legitimate Accounts, and used the ID T0011. 
Before: None 

After: 
TA15: Establish Assets 
T0141: Acquire Compromised Asset 
T0141.001: Acquire Compromised Website 
Summary: Threat Actors may take over existing 
websites to publish or amplify inauthentic narratives. 
This includes the defacement of websites, and cases 
where websites’ personas are maintained to add 
credence to threat actors’ narratives. 

See also [Mitre ATT&CK’s T1584 Compromise 
Infrastructure](https://attack.mitre.org/techniques/T1584/) 
for more technical information on how threat 
actors may achieve this objective. 


T0099: Prepare Assets Impersonating Legitimate Entities 

Updated T0099: Prepare Assets Impersonating Legitimate Entities 


Updated T0099.001: Astroturfing 


Added T0099.003: Impersonate Existing Organisation 
Added T0099.004: Impersonate Existing Media Outlet 


Added T0099.005: Impersonate Existing Official 


Added T0099.006: Impersonate Existing Influencer 


We're introducing sub-techniques to T0099: Prepare Assets Impersonating Legitimate Entities, in 
order to allow tracking of which types of existing entities are being impersonated. We're also 
renaming T0099 to Impersonate Existing Entity, which is shorter, and doesn’t require a value 
judgement on what “legitimate” entities are. 


Before: 
TA16: Establish Legitimacy 
T0099: Prepare Assets Impersonating Legitimate 
Entities 
Summary: An influence operation may prepare assets 
impersonating legitimate entities to further conceal its 
network identity and add a layer of legitimacy to its 
operation content. Users will more likely believe and 
less likely fact-check news from recognisable sources 
rather than unknown sites. Legitimate entities may 
include authentic news outlets, public figures, 
organisations, or state entities. An influence operation 
may use a wide variety of cyber techniques to 
impersonate a legitimate entity’s website or social 
media account. Typosquatting is the international 
registration of a domain name with purposeful 
variations of the impersonated domain name through 
intentional typos, top-level domain (TLD) manipulation, 
or punycode. Typosquatting facilitates the creation of 
falsified websites by creating similar domain names in 
the URL box, leaving it to the user to confirm that the 
URL is correct. 

After: 
TA16: Establish Legitimacy 
T0099: Impersonate Existing Entity 
Summary: An influence operation may prepare assets 
impersonating existing entities (both organisations and 
people) to further conceal its network identity and add a 
layer of legitimacy to its operation content. Existing 
entities may include authentic news outlets, public 
figures, organisations, or state entities. 

Users will more likely believe and less likely fact-check 
news from recognisable sources rather than unknown 
sites. 

An influence operation may use a wide variety of cyber 
techniques to impersonate a legitimate entity's website 
or social media account. 

This Technique was previously called Prepare Assets 
Impersonating Legitimate Entities 
Before: None 

After: 
TA16: Establish Legitimacy 
T0099: Impersonate Existing Entity 
T0099.003: Impersonate Existing Organisation 
Summary: A situation where a threat actor styles their 
online assets or content to mimic an existing 
organisation. 

This can be done to take advantage of people’s trust in 
the organisation to increase narrative believability, to 
smear the organisation, or to make the organisation less 
trustworthy. 


Before: None 

After: 
TA16: Establish Legitimacy 
T0099: Impersonate Existing Entity 
T0099.004: Impersonate Existing Media Outlet 
Summary: A situation where a threat actor styles their 
online assets or content to mimic an existing media 
outlet. 

This can be done to take advantage of people’s trust in 
the outlet to increase narrative believability, to smear 
the outlet, or to make the outlet less trustworthy. 


Before: None 

After: 
TA16: Establish Legitimacy 
T0099: Impersonate Existing Entity 
T0099.005: Impersonate Existing Official 
Summary: A situation where a threat actor styles their 
online assets or content to impersonate an official 
(including government officials, organisation officials, 
etc). 


Before: None 

After: 
TA16: Establish Legitimacy 
T0099: Impersonate Existing Entity 
T0099.006: Impersonate Existing Influencer 
Summary: A situation where a threat actor styles their 
online assets or content to impersonate an influencer or 
celebrity, typically to exploit users’ existing faith in the 
impersonated target. 


As part of this change Astroturfing was renamed, and transitioned from a Subtechnique of 
Prepare Assets Impersonating Legitimate Entities to being its own top-level Technique. 
Before: 
TA16: Establish Legitimacy 
T0099: Prepare Assets Impersonating Legitimate 
Entities 
T0099.001: Astroturfing 
Summary: Astroturfing occurs when an influence 
operation disguises itself as grassroots movement or 
organization that supports operation narratives. Unlike 
butterfly attacks, astroturfing aims to increase the 
appearance of popular support for the operation cause 
and does not infiltrate existing groups to discredit their 
objectives 

After: 
TA16: Establish Legitimacy 
T0142: Fabricate Grassroots Movement 
Summary: This technique, sometimes known as 
"astroturfing", occurs when an influence operation 
disguises itself as a grassroots movement or 
organisation that supports operation narratives. 

Astroturfing aims to increase the appearance of popular 
support for an evolving grassroots movement in 
contrast to "Utilise Butterfly Attacks", which aims to 
discredit an existing grassroots movement. 

This Technique was previously called Astroturfing, and 
used the ID T0099.001 


TA08: Conduct Pump Priming 


Moved T0113: Employ Commercial Analytics Firms 
Moved T0039: Bait Legitimate Influencers 


We've heard feedback from a lot of our users that Conduct Pump Priming is a confusing Tactic 
which doesn't provide much value. Based on this, we're beginning to update Techniques housed 
there with a view to retiring Conduct Pump Priming entirely in future updates. 


Employ Commercial Analytic Firms previously sat under Conduct Pump Priming in the Execute 
Phase, but deep analysis of a target audience is likely something that would be undertaken much 
earlier in an operation. 


We considered Target Audience Analysis, Microtarget, and Establish Assets as new homes 
for the Technique. We landed on the latter given that the firm is an asset that threat actors are 
establishing by employing them. 


Before: 
P03: Execute 

TA08: Conduct Pump Priming 

T0113: Employ Commercial Analytics Firms 
Summary: Commercial analytic firms collect data on 
target audience activities and evaluate the data to 
detect trends, such as content receiving high click-rates. 
An influence operation may employ commercial analytic 
firms to facilitate external collection on its target 
audience, complicating attribution efforts and better 
tailoring the content to audience preferences. 


After: 
P01: Plan 

TA15: Establish Assets 

T0113: Employ Commercial Analytics Firms 
Summary: Commercial analytic firms collect data on 
target audience activities and evaluate the data to 
detect trends, such as content receiving high click-rates. 
An influence operation may employ commercial analytic 
firms to facilitate external collection on its target 
audience, complicating attribution efforts and better 
tailoring the content to audience preferences. 


Bait Legitimate Influencers describes trying to trick existing influencers into amplifying campaign 
content to their network, but this doesn’t match its parent Tactic Conduct Pump Priming. We 
considered several new Tactics for the Technique, including Deliver Content (it’s a method of 
delivering content) and Microtarget (it targets very specific individuals), but we landed on 
Maximise Exposure, as it most closely matches the Technique’s goal of exposing campaign 
content to a wider audience. 


We also took the opportunity to refine the Tactic’s Name and Summary, for conciseness and 
clarity. 


Before: 
P03: Execute 
TA08: Conduct Pump Priming 
T0039: Bait Legitimate Influencers 
Summary: Credibility in a social media environment is 
often a function of the size of a user's network. 
"Influencers" are so-called because of their reach, 
typically understood as: 1) the size of their network (i.e. 
the number of followers, perhaps weighted by their own 
influence); and 2) The rate at which their comments are 
re-circulated (these two metrics are related). Add 
traditional media players at all levels of credibility and 
professionalism to this, and the number of potential 
influencial carriers available for unwitting amplification 
becomes substantial. By targeting high-influence 
people and organisations in all types of media with 
narratives and content engineered to appeal their 
emotional or ideological drivers, influence campaigns 
are able to add perceived credibility to their messaging 
via saturation and adoption by trusted agents such as 
celebrities, journalists and local leaders. 

After: 
P03: Execute 
TA17: Maximise Exposure 
T0039: Bait Influencer 
Summary: Influencers are people on social media 
platforms who have large audiences. 

Threat Actors can try to trick Influencers such as 
celebrities, journalists, or local leaders who aren't 
associated with their campaign into amplifying 
campaign content. This gives them access to the 
Influencer’s audience without having to go through the 
effort of building it themselves, and it helps legitimise 
their message by associating it with the Influencer, 
benefitting from their audience’s trust in them. 


Small Changes 


Updated T0097.001: Backstop Personas 
Updated T0104.002: Dating Apps 
Updated T0049: Flooding the Information Space 
Updated TA15: Establish Social Assets 
Updated TA05: Microtarget 


T0097.001 Backstop Personas has been renamed to T0097.001 Produce Evidence for Persona in 
an effort to reduce reliance on industry terminology and make Techniques clearer at the 
framework level. It has also received an updated summary. 
Before: 
TA16: Establish Legitimacy 
T0097: Create Persona 
T0097.001: Backstop Personas 
Summary: Create other assets/dossier/cover/fake 
relationships and/or connections or documents, sites, 
bylines, attributions, to establish/augment/inflate 
crediblity/believability 

After: 
TA16: Establish Legitimacy 
T0097: Create Persona 
T0097.001: Produce Evidence for Persona 
Summary: People may produce evidence which 
supports the persona they are deploying (T0097) (aka 
“backstopping” the persona). 

This Technique covers situations where evidence is 
developed or produced as part of an influence operation 
to increase the perceived legitimacy of a persona used 
during IO, including creating accounts for the same 
persona on multiple platforms. 

The use of personas (T0097), and providing evidence to 
improve people’s perception of one’s persona 
(T0097.001), are not necessarily malicious or 
inauthentic. However, sometimes people use personas 
to increase the perceived legitimacy of narratives for 
malicious purposes. 

This Technique was previously called Backstop 
Personas. 


We've added a summary to T0104.002: Dating App, and introduced a new Incident showing the 
use of dating apps in an operation. 


Before: 
TA07: Select Channels and Affordances 
T0104: Social Networks 
T0104.002: Dating Apps 
Summary: None 

After: 
TA07: Select Channels and Affordances 
T0104: Social Networks 
T0104.002: Dating App 
Summary: “Dating App” refers to any platform (or 
platform feature) in which the ostensive purpose is for 
users to develop a physical/romantic relationship with 
other users. 

Threat Actors can exploit users’ quest for love to trick 
them into doing things like revealing sensitive 
information or giving them money. 

Examples include Tinder, Bumble, Grindr, Facebook 
Dating, Tantan, Badoo, Plenty of Fish, hinge, LOVOO, 
OkCupid, happn, and Mamba. 


T0049: Flooding the Information Space's definition has been tweaked to allow for users to tag the 
flooding of information spaces other than social media feeds, and has had its name shortened 
slightly. 
Before: 
TA17: Maximise Exposure 

T0049: Flooding the Information Space 

Summary: Flooding and/or mobbing social media 
channels feeds and/or hashtag with excessive volume of 
content to control/shape online conversations and/or 
drown out opposing points of view. Bots and/or patriotic 
trolls are effective tools to acheive this effect 


After: 
TA17: Maximise Exposure 

T0049: Flood Information Space 

Summary: Flooding sources of information (e.g. Social 
Media feeds) with a high volume of inauthentic content. 


This can be done to control/shape online conversations, 
drown out opposing points of view, or make it harder to 
find legitimate information. 


Bots and/or patriotic trolls are effective tools to achieve 
this effect 


TA15 has been renamed from Establish Social Assets to Establish Assets, to match the wide 
variety of asset types the Tactic encapsulates. Its summary has not been changed at this time. 


Before: 
TA15: Establish Social Assets 

Summary: Establishing information assets generates 
messaging tools, including social media accounts, 
operation personnel, and organisations, including 
directly and indirectly managed assets. For assets under 
their direct control, the operation can add, change, or 
remove these assets at will. Establishing information 
assets allows an influence operation to promote 
messaging directly to the target audience without 
navigating through external entities. Many online 
influence operations create or compromise social media 
accounts as a primary vector of information 
dissemination. 


After: 
TA15: Establish Assets 

Summary: Establishing information assets generates 
messaging tools, including social media accounts, 
operation personnel, and organisations, including 
directly and indirectly managed assets. For assets under 
their direct control, the operation can add, change, or 
remove these assets at will. Establishing information 
assets allows an influence operation to promote 
messaging directly to the target audience without 
navigating through external entities. Many online 
influence operations create or compromise social media 
accounts as a primary vector of information 
dissemination. 


TA05: Microtarget’s summary has been updated to better differentiate it from TA13: Target 
Audience Analysis. 


Before: 
TA05: Microtarget 
Summary: Target very specific populations of people 

After: 
TA05: Microtarget 
Summary: Actions taken which help target content to 
specific audiences identified and analysed as part of 
TA13: Target Audience Analysis 


Incidents 


Incidents in the DISARM Red Framework are intended to provide examples of real-world use of 
Techniques, to help users better understand and contextualise behaviours. This update sees three 
new Incidents introduced covering the following Techniques: 


- T0141.001: Acquire Compromised Account 
- T0141.002: Acquire Compromised Website 
- T0104.002: Dating App 
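
Incident records tagged before this update still carry the old IDs. The following Python helper is an added example, not part of the DISARM project's own tooling: it rewrites a list of tags using only the ID changes stated in this document and flags the cases the text says need analyst judgement. The function and table names, the wording of the notes, and the sample incidents are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Old ID -> (new ID or None, needs analyst review, note). IDs come from the
# changelog text (which also writes T0085.002 as T0085.003 in one place);
# the table shape and note wording are this example's own.
ID_CHANGES = {
    "T0085.002": ("T0085.004", True,
                  "now Develop Document; no longer asserts the text is false "
                  "or altered (use T0089.003 for altered authentic documents)"),
    "T0089.002": (None, True, "removed as a defensive behaviour; no successor"),
    "T0019": ("T0049.008", True,
              "implies intent to reduce exposure to target information; "
              "default to T0049 if motive cannot be inferred"),
    "T0019.001": ("T0085.007", False, "moved under T0085"),
    "T0019.002": ("T0049.002", False, "merged into Flood Existing Hashtag"),
    "T0011": ("T0141.001", False, "now Acquire Compromised Account (TA15)"),
    "T0099.001": ("T0142", False, "now Fabricate Grassroots Movement"),
}

# IDs that stay the same but were renamed or moved to another Tactic.
SAME_ID_NOTES = {
    "T0049": "renamed Flood Information Space",
    "T0049.002": "renamed Flood Existing Hashtag",
    "T0099": "renamed Impersonate Existing Entity",
    "T0097.001": "renamed Produce Evidence for Persona",
    "T0104.002": "renamed Dating App",
    "T0039": "renamed Bait Influencer; moved from TA08 to TA17",
    "T0113": "moved from TA08 to TA15",
}

TAG_RE = re.compile(r"^(TA\d{2}|T\d{4}(\.\d{3})?)$")


@dataclass
class Migration:
    tags: list = field(default_factory=list)    # new tags, de-duplicated, input order
    review: list = field(default_factory=list)  # (tag, reason) pairs for an analyst
    info: list = field(default_factory=list)    # (tag, note) for same-ID renames/moves


def migrate(tags):
    """Rewrite one incident's tag list to the IDs used after this update."""
    out = Migration()
    for raw in tags:
        tag = raw.strip().upper()
        if not TAG_RE.match(tag):
            # Malformed IDs (e.g. letter O typed for zero) are never guessed at.
            out.review.append((raw, "not a valid Tactic/Technique ID; dropped"))
            continue
        new, needs_review, note = ID_CHANGES.get(tag, (tag, False, ""))
        parent = tag.split(".")[0]
        if tag not in ID_CHANGES and tag != parent and parent in ID_CHANGES:
            # A sub-technique the changelog does not mention, under a moved parent.
            needs_review, note = True, f"parent {parent} changed ID; not covered"
        if needs_review:
            out.review.append((tag, note))
        if new is None:
            continue  # removed Technique: nothing to emit
        if new in SAME_ID_NOTES and (new, SAME_ID_NOTES[new]) not in out.info:
            out.info.append((new, SAME_ID_NOTES[new]))
        if new not in out.tags:
            out.tags.append(new)  # merges can map two old tags to one new tag
    return out


# Constructed sample annotations (not taken from the DISARM incident data).
SAMPLE_INCIDENTS = {
    "incident-a": ["T0019.002", "T0049.002", "T0011"],
    "incident-b": ["T0085.002", "T0089.002", " t0099.001"],
    "incident-c": ["T0019", "T0104.002", "T0O49"],
}

if __name__ == "__main__":
    for name, old in SAMPLE_INCIDENTS.items():
        result = migrate(old)
        print(name, old, "->", result.tags)
        for tag, why in result.review:
            print("   review:", tag, "-", why)
        for tag, note in result.info:
            print("   note:  ", tag, "-", note)
```

Because Develop Document received a new ID rather than reusing the old one, a record still holding T0085.002 is unambiguous and can be rewritten safely; the review list exists for the cases where the meaning, not just the ID, changed.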
Request for Feedback 


TA07: Select Channels and Affordances 


Issue: Overlap in platforms between T0103: Livestream, T0104: Social 
Networks, and T0104: Media Sharing Networks 


We're aware that there is some overlap between Techniques within TA07: Select Channels and 
Affordances, particularly in T0104 and T0105. For example, a platform like Instagram might fit in 
T0104.001: Mainstream Social Networks, but also could be categorised under T0105: Media 
Sharing Networks, any one of its sub-techniques for Photo, Video, and Audio sharing, and even 
T0103: Livestream and its sub-techniques. 


DISARM is working on getting its framework integrated with STIX and OpenCTI. As part of this 
work, users will be able to tag the specific platform that an operation is using by choosing from a 
STIX Open Vocabulary. As such we need to think about what the purpose of TA07: Select 
Channels and Affordances is in a post-STIX DISARM. One avenue we're considering is listing 
platform features exploited by threat actors, rather than platform grouping. 


There are examples of both in the framework under T0104; T0104.001: Mainstream Social 
Networks is a ‘platform grouping’ style technique, listing platforms considered ‘mainstream’, 
where T0104.002: Dating Apps is a ‘platform feature’ style technique, describing a feature which 
could exist on many platforms. 


Feature focused techniques are less likely to become outdated, and provide a useful aggregation 
which can exist alongside STIX’s individual platform tagging capabilities; we could use STIX to tag 
that Facebook was used, but indicate that the “Facebook Dating” feature specifically was 
exploited using T0104.002, or “Facebook Live” using T0103.001: Video Livestream, etc. 


This change would require a large rework of many Techniques and sub-techniques in TA07. 
Before undertaking such an effort, we wanted to give the community a chance to tell us what 
version of TA07 would be most useful: 


- What kinds of Techniques do you think would be most useful under TA07? 
- What kind of platform features would you like to catalogue using DISARM? 
- Do you have any alternative suggestions for how we should restructure TA07? 


Please reach out on info@disarm.foundation if you have any feedback, or would be interested in 
having a discussion with a member of the DISARM team. 